The business logic behind stress testing services is that site owners should have the right to test and benchmark the security and performance of their own websites. Stress testing operators offer a service that “in theory” is meant to be used for legitimate purposes.
Here is a collection of reasons why we believe that stress testing services fail to show that their business is legitimate.
- Site ownership: Stress testing services do not provide any common means to verify that the person ordering the test (the attacker) really owns the website. There are dozens of well-known mechanisms by which site ownership can be proven to a third party. Typical means are e-mail verification, placing specific content on the website, or adding special DNS records. Stress testing services fail to provide adequate means to ensure that the traffic is sent with the consent of the site owner.
- Traffic Generation: Many of the attack vectors available on the stress testing sites rely on reflection techniques to achieve traffic amplification. This amplification is always built by abusing third-party infrastructure (DNS, NTP, game servers, …). We are not aware of any stress testing service that can deliver more than 10 Gbps without amplification or without using compromised services.
- Traceability: Stress testing services ensure that the attacker is untraceable, something that is not consistent with the premise that site owners are testing their own services. Why is untraceability so important for these services?
- High Collateral Damage: Stress testing services have a high impact on third-party infrastructure and on the network neighbours of the victims.
- Free is better: The idea that free stress testing services are legitimate because there is no money or ransom involved is flawed. Free packages are designed to let attackers try out the service and then purchase larger plans.
- FBI does not shut them down: One of our readers has sent us a very interesting message via the contact form. The argument is: stress testers must be legal because the FBI does not shut them down. Unfortunately we do not know what criteria the FBI uses to go after one stresser and not another. Ideas?
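To make the site ownership point concrete, here is an added example (not code from any stress testing service) of the kind of DNS-record verification a legitimate service could require before sending a single packet: the customer is issued an unguessable token, must publish it as a TXT record under a verification label (the label `_stress-test-verify` is an assumption), and only hosts under the verified domain may then be targeted. The DNS lookup is injected so the example runs offline; a real deployment would plug in a resolver such as dnspython.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, List, Optional

# Hypothetical label for the verification record; a real service picks its own.
VERIFY_LABEL = "_stress-test-verify"
DEFAULT_MAX_AGE = 24 * 3600  # tokens expire after one day


@dataclass
class Challenge:
    domain: str      # normalised, e.g. "example.com"
    token: str       # unguessable secret the customer must publish
    issued_at: float


def issue_challenge(domain: str) -> Challenge:
    """Create a fresh ownership challenge for a domain."""
    normalised = domain.strip().lower().rstrip(".")
    return Challenge(normalised, secrets.token_urlsafe(32), time.time())


def expected_record(ch: Challenge) -> str:
    """Name of the TXT record the customer has to create."""
    return f"{VERIFY_LABEL}.{ch.domain}"


def verify_ownership(ch: Challenge, resolve_txt: Callable[[str], List[str]],
                     now: Optional[float] = None,
                     max_age: int = DEFAULT_MAX_AGE) -> bool:
    """True only if a TXT record carrying the token exists and the token is still fresh."""
    now = time.time() if now is None else now
    if now - ch.issued_at > max_age:
        return False  # stale challenge: customer must request a new one
    try:
        records = resolve_txt(expected_record(ch))
    except Exception:
        return False  # NXDOMAIN, timeout, etc. all count as "not verified"
    token = ch.token.encode()
    # Constant-time comparison so timing does not leak partial matches.
    return any(hmac.compare_digest(r.strip().encode(), token) for r in records)


def authorizes_target(ch: Challenge, target_host: str) -> bool:
    """A verified domain authorises itself and its subdomains, nothing else."""
    host = target_host.strip().lower().rstrip(".")
    return host == ch.domain or host.endswith("." + ch.domain)
```

Everything the customer could forge (the target hostname, a lookalike domain) is checked against the domain actually verified, and failures to resolve are treated as failures to verify.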
For these reasons we believe that there are no grounds to consider stress testing services a legitimate business in the way they are currently deployed. There is no room for doubt, and those who argue that it is “difficult to judge” are part of the problem. It is difficult to sell bullet proof vests when there are no guns!